UPDATE: OWASP Dependency-Check 3.3.0

My first post about this open source OWASP project covered an older version. This post discusses the changes made to the open source software composition analysis utility in the latest release, published yesterday: OWASP Dependency-Check 3.3.0, which includes a lot of bug fixes and enhancements.

What is OWASP Dependency-Check?

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies. It can currently be used to scan Java and .NET applications to identify the use of known vulnerable components with experimental analyzers for Python, Ruby, PHP (composer), and Node.js applications. Additionally, OWASP Dependency-Check has experimental analyzers that can be used to scan some C/C++ source code, including OpenSSL source code and projects that use Autoconf or CMake.

Official OWASP Dependency-Check 3.3.0 changelog:

Bug Fixes

The dependency-check-gradle plugin can now analyze multi-project Android builds. See PR #09 for more information.

In some cases, extremely large projects may cause dependency-check to fail because of the analysis time. Previously, the analysis was capped at 10 minutes; the timeout has been increased to 20 minutes and made configurable in case this continues to be an issue for some users. See issue #936 for more information.

Some pom.xml files could not be analyzed because they contained a doctype definition. The parser has been enhanced to strip the doctype definitions.

Fixed issue where, in some cases, temporary files were not correctly cleaned up in Jenkins and gradle builds.

Fixed issue where, in some cases, files were retrieved from Maven Central using HTTP instead of HTTPS. See issue #1325 for more information.

Additionally, a retry count was added when attempting to download pom.xml files during analysis.

Fixed issue where Node.js dependencies were not correctly analyzed. See issue #1355 for more information.

Fixed an issue in OWASP Dependency-Check 3.3.0 where the CWE was not written to the CSV report.
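Since the CSV report is what a build pipeline usually consumes, the following added example (not part of the original post or of the Dependency-Check project) parses a constructed report, lists the worst CVSS score per dependency, and splits findings into build-blocking ones and ones whose CWE column is empty and therefore need manual triage. The column names are an assumption about the report header; the CVE ids and dependency names are placeholders.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample in the shape of a dependency-check CSV report. The column
# names are an assumption about the report header (verify against your own
# report); the CVE ids and dependency names are placeholders, not real findings.
SAMPLE_REPORT = """Project,DependencyName,CVE,CWE,CVSSv2_Score,CVSSv2_Severity
demo,example-lib-1.0.jar,CVE-0000-0001,CWE-502,7.5,High
demo,example-lib-1.0.jar,CVE-0000-0002,,4.3,Medium
demo,other-lib-2.1.jar,CVE-0000-0003,CWE-79,5.0,Medium
demo,clean-lib-3.0.jar,,,,
"""

@dataclass
class Finding:
    dependency: str
    cve: str
    cwe: str
    score: float

def parse_report(text):
    """One Finding per vulnerability row. A dependency with no CVE appears as
    a row with empty CVE/CWE/score columns and is skipped."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if not row["CVE"]:
            continue
        score = float(row["CVSSv2_Score"]) if row["CVSSv2_Score"] else 0.0
        findings.append(Finding(row["DependencyName"], row["CVE"], row["CWE"], score))
    return findings

def worst_per_dependency(findings):
    """Highest CVSS score seen for each dependency: the upgrade priority list."""
    worst = {}
    for f in findings:
        worst[f.dependency] = max(worst.get(f.dependency, 0.0), f.score)
    return worst

def gate(findings, fail_score):
    """Findings at or above fail_score block the build; findings with no CWE
    are returned separately for manual triage, since without the weakness
    class the report cannot say what kind of bug the CVE describes."""
    blocking = [f for f in findings if f.score >= fail_score]
    missing_cwe = [f for f in findings if not f.cwe]
    return blocking, missing_cwe

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    blocking, triage = gate(found, 7.0)
    print("blocking:", [f.cve for f in blocking], "triage:", [f.cve for f in triage])
```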

In addition, general bug fixes, code cleanup, and false positive/negatives updates were made.

Enhancements

An Artifactory Analyzer was added to OWASP Dependency-Check 3.3.0 that can be used in place of the Central Analyzer for organizations that use Artifactory.

Note that for Maven and Gradle builds the Artifactory analyzer will not improve the analysis: the information gained by using the Central, Artifactory, or Nexus Analyzers is already obtained from the build system.

An experimental Retire JS analyzer has been added to analyze client side JavaScript.
